Protostar – final1

Information

This level is a remote blind format string level. The ‘already written’ bytes can vary, and are based upon the length of the IP address and port number.

When you are exploiting this and you don’t necessarily know your IP address and port number (proxy, NAT / DNAT, etc), you can determine that the string is properly aligned by seeing if it crashes or not when writing to an address you know is good.

I can enter what I want in the variables ‘username’ and ‘pw’. As those variables are not sanitized, I can use a format string to explore the memory.
To reach this vulnerability, the function logit() needs to be called.

So, I first need to send ‘username xxxx’. Then I send ‘login xxxx’.
Once this is done, I need to check the /var/log/syslog file.
I put the format string attack in ‘pw’.
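The bug class behind logit(), as an added example that is not the Protostar level’s own code: a logging wrapper without a format attribute silently accepts the username/password buffer as its format string, so ‘%%’ in the password collapses to ‘%’ (a deterministic sign that the input is being interpreted), while the hardened wrapper keeps the format literal and lets -Wformat-security catch regressions. The function names and the in-memory sink replacing syslog(3) are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 256

/* Constructed sink: formats into a buffer instead of calling syslog(3),
 * so the result is observable and deterministic. */
static char last_line[LINE_MAX_LEN];

/* Vulnerable wrapper: takes a printf-style format but carries no format
 * attribute, so the compiler cannot warn when a caller passes user data
 * as the format. */
static int logit_vuln(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened wrapper: the format attribute lets -Wformat -Wformat-security
 * flag any caller that hands it a non-literal format with no arguments. */
static int logit_fixed(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
static int logit_fixed(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return n;
}

/* final1-style pattern: a line built from the client's credentials is
 * handed to the logger as its format argument. Returns the logged line. */
const char *log_login_vuln(const char *user, const char *pw) {
    char buf[LINE_MAX_LEN];
    snprintf(buf, sizeof buf, "login attempt user=%s pw=%s", user, pw);
    logit_vuln(buf);            /* BUG: attacker-controlled format string */
    return last_line;
}

/* Fixed: the format is a literal; the credentials are only ever arguments,
 * so '%' sequences in them are logged verbatim. */
const char *log_login_fixed(const char *user, const char *pw) {
    logit_fixed("login attempt user=%s pw=%s", user, pw);
    return last_line;
}
```

Compiling with -Wformat -Wformat-security reports the logit_fixed pattern if someone later passes it a buffer as the format; logit_vuln gets no such check, which is why such wrappers should always carry the attribute.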

Fine, I don’t have to overwrite the high value of the GOT entry as I already have 0x0804. The low value is overwritten with 0xa0.
I just have to calculate the difference between the value I need, 0xa220, and the value 0xa0 already written.